RE: Source-sensitive Routing ...

From: Eric Six (esix@dra.com)
Date: 12/07/01


From: Eric Six <esix@dra.com>
To: "'Eric Schroeder'" <ericschroeder@satel.com>, rakesh@isac.ernet.in
Date: Fri, 7 Dec 2001 13:18:28 -0600 


NAT from the router would be fine. Does 11.0 support this, though? But why do
this with the router? The proxy server should be able to do source based
routing. And besides.. coming out the proxy, the source address looks like 1
ip address.

Router-wise he has to be running RIP or GRP to his ISP, but I think those
need at least 11.3 to function on a consistent basis with 'modern' IOS
routers? All mine are 11.3~12.2. Static routes would be more desirable..
10.5.1.0 255.255.255.0 out one interface 10.5.2.0 255.255.255.0 out another,
but again I think the proxy server in there would cause some issues.

From the drawing, I think the proxy server has a real IP address and is
doing the NAT to the internal network? I think the easier solution would be
to throw another NIC card in the proxy, make its IP the same as your second
ISP's. Then from your internal, do the source based routing, i.e. whichever
address range goes to ISP one or two is routed from the proxy server itself
to the proper NIC card on the external network.

This might prove fun with an MS proxy...

Does this help? Maybe I am confused.. it is Friday ;)

Cheers,
Eric

-----Original Message-----
From: Eric Schroeder [mailto:ericschroeder@satel.com]
Sent: Thursday, December 06, 2001 12:18 PM
To: rakesh@isac.ernet.in
Cc: security-basics@security-focus.com
Subject: Re: Source-sensitive Routing ...

One way to do this is to use BGP. This load balances ok if you have two
Tier 1 providers, but will not load balance otherwise. The advantage is
this is the only way to provide uptime if one of the ISPs goes down unless
you do NAT on the Cisco 2514. You may have problems running BGP on a
2514, but I think this will work as long as you only get routes to connect
hosts from each ISP, and then set the default route to the least used
link.

Hope this helps.

Eric Schroeder

rakesh@isac.ernet.in
12/05/2001 09:44 PM

 
        To: security-basics@security-focus.com
        cc:
        Subject: Source-sensitive Routing ...

Dear members,

I have the following network configuration:

        --------------------------------------------------------
        |                                                      |
        |                       10.x.x.x                       |
        |                                                      |
        --------------------------------------------------------
                                   |
                                   |
                        ------------------------
                        |  Dual Homed Gateway  |
                        ------------------------
                                   |
                                   |
                        -----------+------------
                        | Cisco 2514 Dual LAN  |
                        |        Router        |
                        |                      |
                        |  wan1          wan2  |
                        ----+--------------+----
                            |              |
                            |              |
                            |              |
                       ISP1 |              | ISP2
                ========================================
                +                                      +
                +               INTERNET               +
                +                                      +
                ========================================

All our clients are in the private network address (10.x.x.x). Using the
Proxy Server at the Dual homed gateway, these clients get connected to
Internet using ISP1 link. Recently we have received another link for
Internet connection from ISP2. Hence we are planning to route some of the
clients of private network address (10.x.x.x) through ISP1 link and the
remaining ones through ISP2 link, using Cisco 2514 Dual LAN Router
running IOS software 11.0. After reading the Cisco documents, I came to
know that this is possible through SOURCE-SENSITIVE routing at the
Router.

I want to know the following:
1. Is there any alternative way(s) to achieve this goal using the same
   router having two WAN interfaces?
2. What are the security issues related to SOURCE-SENSITIVE routing?

Waiting for your suggestions ....

Rakesh Kumar
============

-------------------------------------------------
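
An added illustration, not part of the thread, of the point raised in the reply: once clients go through the proxy, the router sees a single source address, so a source-based policy on the router cannot split them, whereas a proxy with one NIC per ISP can. The 10.5.1.0/24 and 10.5.2.0/24 ranges come from the reply; the proxy addresses, the default link and all function names are assumptions made for this sketch.

```python
import ipaddress

# Client ranges from the thread, one per uplink.
CLIENT_POLICY = [
    (ipaddress.ip_network("10.5.1.0/24"), "ISP1"),
    (ipaddress.ip_network("10.5.2.0/24"), "ISP2"),
]
# Assumed proxy NIC addresses (documentation ranges, not from the thread).
PROXY_ADDR = {"ISP1": "192.0.2.10", "ISP2": "198.51.100.10"}
# Router policy keyed on the proxy's NIC addresses (two-NIC design only).
ROUTER_POLICY = [
    (ipaddress.ip_network("192.0.2.10/32"), "ISP1"),
    (ipaddress.ip_network("198.51.100.10/32"), "ISP2"),
]
DEFAULT_LINK = "ISP1"  # assumption: unmatched sources use the existing link


def link_for_source(src, policy):
    """Pick the uplink by longest-prefix match on the source address."""
    addr = ipaddress.ip_address(src)
    matches = [(net.prefixlen, link) for net, link in policy if addr in net]
    return max(matches)[1] if matches else DEFAULT_LINK


def via_single_nic_proxy(client):
    """Proxy with one external NIC: the client address never reaches the router."""
    seen_src = PROXY_ADDR["ISP1"]
    return seen_src, link_for_source(seen_src, CLIENT_POLICY)


def via_two_nic_proxy(client):
    """Proxy chooses the NIC by client range; the router routes by NIC address."""
    nic = PROXY_ADDR[link_for_source(client, CLIENT_POLICY)]
    return nic, link_for_source(nic, ROUTER_POLICY)


def egress_links(clients, path):
    """Map each client to the uplink its traffic leaves on for a given design."""
    return {c: path(c)[1] for c in clients}


if __name__ == "__main__":
    sample = ["10.5.1.20", "10.5.2.30", "10.5.2.31"]  # constructed clients
    print("single NIC:", egress_links(sample, via_single_nic_proxy))
    print("two NICs:  ", egress_links(sample, via_two_nic_proxy))
```

In both designs the upstream side only ever sees a proxy address, so per-client attribution has to come from the proxy's own logs.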